Key Information

Vulnerability Type
Stored XSS: Stored Cross-Site Scripting

Affected Versions
o2oa <= 10.0-410-g3d5e0d2

Vulnerability Description
In the endpoint of o2oa, user-provided input (such as profile fields) is stored without sanitization and then rendered in the application, leading to persistent execution of malicious scripts.

Exploitation Method (POC)
When viewing the profile, the stored payload is executed, confirming the presence of XSS.

Impact
- Persistent JavaScript execution in the victim's browser
- Potential theft of session tokens or sensitive user data
- Unauthorized operations performed under the authenticated user's identity

Mitigation Recommendation
Sanitize and escape user input before storage, and ensure proper output encoding when rendering data.
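
The output-encoding half of the recommendation above, as an added example that is not o2oa code: a profile renderer in its unencoded form beside a version that encodes each stored field for the context it lands in. The field names (name, site, signature), the function names and the sample record are assumptions made for illustration.

```javascript
// Added example: output encoding for stored profile fields (all names hypothetical).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text or for a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links in a profile; anything else becomes an inert "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch {
    return '#'; // not parseable as an absolute URL
  }
}

// "Before": stored fields are concatenated into markup unchanged.
function renderProfileUnsafe(p) {
  return `<div class="profile"><h2>${p.name}</h2><a href="${p.site}">${p.signature}</a></div>`;
}

// "After": every field is encoded for the context it is written into.
function renderProfileSafe(p) {
  return `<div class="profile"><h2>${escapeHtml(p.name)}</h2>` +
    `<a href="${escapeHtml(safeUrl(p.site))}">${escapeHtml(p.signature)}</a></div>`;
}

// Constructed sample record, as it would come back from storage.
const storedProfile = {
  name: '<script>document.title="marker"</script>',
  site: 'javascript:void(0)',
  signature: '"><b>bold</b> & more',
};

console.log(renderProfileUnsafe(storedProfile)); // markup from storage reaches the page
console.log(renderProfileSafe(storedProfile));   // same record rendered as inert text
```

Encoding at render time protects every view of the data, including records that were stored before any input sanitization was introduced.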